If you are validating user input with JavaScript, be sure to do it on the server side too, because for bypassing your
JavaScript validation a user just needs to turn their JavaScript off.
JavaScript validation is only good to reduce the server load.

3. Do not use user input directly in your SQL queries

Use mysql_real_escape_string() to escape the user input.
PHP.net recommends this function: (well a little different)

If a database user is never going to drop tables, then when creating that user don’t give it drop table permissions,
normally just SELECT, UPDATE, DELETE, INSERT should be enough.

7. Do not allow hosts other than localhost to connect to your database

If you need to, add only that particular host or IP as necessary but never, ever let everyone connect to your database server.

8. Your library file extensions should be PHP

.inc files will be written to the browser just like text files (unless your server is setup to interpret them as PHP scripts),
users will be able to see your messy code (kidding) and possibly find exploits or see your passwords etc.
Have extensions like config.inc.php or have a .htaccess file in your extension (templates, libs etc.) folders with this one line:

Code:

deny from all

9. Have register globals off or define your variables first

Register globals can be very dangerous, consider this bit of code:

PHP Code:
if( user_logged_in() ) {
$auth = true;
}

if( $auth ) {
/* Do some admin stuff */
}

If you have registered globals on and you can’t turn it off for some reason you can fix these issues by defining your variables first:

PHP Code:
$auth = false;
if( user_logged_in() ) {
$auth = true;
}

if( $auth ) {
/* Do some admin stuff */
}
Defining your variables first is a good programming practice that I suggest you follow anyway.

10. Keep PHP itself up to date

Just take a look at www.php.net and see release announcements and note how many security issues they
fix on every release to understand why this is important.

You all techies know that PHP is widely used scripting language ,and it is also easy to code but everything must be done in a proper manner.here are the some useful tips to for optimizing the php code

If a method can be static, declare it static. Speed improvement is by a factor of 4.

** echo is faster than print.

** Use echo’s multiple parameters instead of string concatenation.

** Set the maxvalue for your for-loops before and not in the loop.

** Unset your variables to free memory, especially large arrays.

** Avoid magic like __get, __set, __autoload.

** require_once() is expensive.

** Use full paths in includes and requires, less time spent on resolving the OS paths.

** If you need to find out the time when the script started executing,$_SERVER[’REQUEST_TIME’] is preferred to time().

** See if you can use strncasecmp, strpbrk and stripos instead of regex.

** str_replace is faster than preg_replace, but strtr is faster than str_replace by a factor of 4.

** If the function, such as string replacement function, accepts both arrays and single characters as arguments, and if your argument list is not too long, consider writing a few redundant replacement
statements, passing one character at a time, instead of one line of code that accepts arrays as search and replace arguments.

** Do not use functions inside of for loop, such as for ($x=0; $x <count($array); $x) The count() function gets called each time.

** Incrementing a local variable in a method is the fastest. Nearly the same as calling a local variable in a function.

** Incrementing a global variable is 2 times slow than a local var.

** Incrementing an object property (eg. $this->prop++) is 3 times slower than a local variable.

** Incrementing an undefined local variable is 9-10 times slower than a pre-initialized one.

** Just declaring a global variable without using it in a function also slows things down (by about the same amount as incrementing a local var). PHP probably does a check to see if the global exists.

** Method invocation appears to be independent of the number of methods defined in the class because I added 10 more methods to the test class (before and after the test method) with no change in
performance.

** Methods in derived classes run faster than ones defined in the base class.

** A function call with one parameter and an empty function body takes about the same time as doing 7-8 $localvar++ operations. A similar method call is of course about 15 $localvar++ operations.

** Surrounding your string by ‘ instead of ” will make things interpret a little faster since php looks for variables inside “…” but not inside ‘…’. Of course you can only do this when you don’t
need to have variables in the string.

** When echoing strings it’s faster to separate them by comma instead of dot. Note: This only works with echo, which is a function that can take several strings as arguments.

** A PHP script will be served at least 2-10 times slower than a static HTML page by Apache. Try to use more static HTML pages and fewer scripts.

** Your PHP scripts are recompiled every time unless the scripts are cached. Install a PHP caching product to typically increase performance by 25-100% by removing compile times.
** Cache as much as possible. Use memcached – memcached is a high-performance memory object caching system intended to speed up dynamic web applications by alleviating database load. OP code caches are useful so that your script does not have to be compiled on every request.

** When working with strings and you need to check that the string is either of a certain length you’d understandably would want to use the strlen() function. This function is pretty quick since it’s operation
does not perform any calculation but merely return the already known length of a string available in the zval structure (internal C struct used to store variables in PHP). However because strlen() is a
function it is still somewhat slow because the function call requires several operations such as lowercase & hashtable lookup followed by the execution of said function. In some instance you can improve the speed of your code by using an isset() trick.

** Calling isset() happens to be faster then strlen() because unlike strlen(), isset() is a language construct and not a function meaning that it’s execution does not require function lookups and lowercase.
This means you have virtually no overhead on top of the actual code that determines the string’s length.

** When incrementing or decrementing the value of the variable $i++ happens to be a slower than ++$i. This is something PHP specific and does not apply to other languages, so don’t go modifying your C or
Java code thinking it’ll suddenly become faster, it won’t. ++$i happens to be faster in PHP because instead of 4 opcodes used for $i++ you only need 3. Post incrementation actually causes in the creation
of a temporary var that is then incremented. While pre-incrementation increases the original value directly. This is one of the optimization that opcode optimized like Zend’s PHP optimizer. It is a still a good idea to keep in mind since not all opcode optimizers perform this optimization and there are plenty of ISPs and servers running without an opcode optimizer.

** Not everything has to be OOP, often it is too much overhead, each method and object call consumes a lot of memory.

** Do not implement every data structure as a class, arrays are useful, too.